Blog

Windows Vulnerability Found Using VCard Files

There's a new zero-day vulnerability in Windows 10 you need to be aware of. As with all zero-day threats, this one is dangerous in the extreme, allowing a hacker to potentially execute code on your machine remotely.

It was discovered by security researcher John Page, and reported to the company via Trend Micro's Zero-Day Initiative more than six months ago.

To date, the company has refused to patch their software in response. In fact, the issue hasn't even received a CVE number yet.

The issue resides within the processing of a vCard file, which is a standard file format used by Microsoft Outlook to store contact information. Each vCard has space for the contact's website. Unfortunately, a hacker can plug in whatever value they like there, including a web address pointing to a file that can be downloaded and remotely executed on the target machine. All it takes is for the victim to click on the link in the poisoned vCard.

Page has published a proof of concept for the exploit, which has been assigned a CVSS 23.0 score of 7.8. It would have been even higher than that, but in order to be successful, the exploit does require action on the user's part (the link in the vCard actually has to be clicked).

Even considering this, it seems strange that Microsoft wouldn't take steps to fix the issue, or at least to assign it a CVE number. Leaving this exploit un-patched opens the door to abuse. It's like hanging a neon sign above every installation of Microsoft Outlook, begging hackers to take advantage of it.

To this point, we know of no instances of this attack being used in the wild, but it's just a matter of time. Our hope is that Microsoft will take steps to address the problem sooner, rather than later.

No Catch. No Obligation.
Stay ahead of the hackers with tips for setting up safe Work From Home networks and gain an opportunity to receive a FREE Copy of the Business Guide to Setting Up Work from Home or Remote Network Access.

First Name *

Last Name *

Company *

Email *

Phone

“Extremely helpful and well organized”

The webinar was excellent, it didn’t last too long, yet was very informative. It was well organized, and the staff was friendly and helpful.

David MonroeSierra Management & Technologies Inc.

“eTrepid is very responsive, loyal, sophisticated and professional.”

I was able to identify ways to improve efficiencies after the recent business review they performed. I am very happy with the service I receive from eTrepid.